Cyprus is dancing in the rhythms of… EU OPEN BANKING!





24.01.18








On 13 January 2018, Open Banking services came into force in Europe through the introduction of the Payment Services Directive II (PSD2), which requires banks and other financial institutions to share data with third-party financial providers.


This new directive on payment services in the internal market updates the existing legal and regulatory framework for payment services in the EEA by taking into account, among other things, the current fintech environment, new types of payment services in the card, internet and mobile payment markets, new technology players in the financial services market and their impact on the incumbents, as well as the impact of their innovative products and services on customers’ expectations and experience.


More specifically, Title IV of PSD2 introduces new provisions to payment services legislation in the form of rights for payers to use third party providers (TPPs), providing for the first time for two newly regulated payment services:

- payment initiation services (PIS) and
- account information services (AIS)


These relate to payment instruments issued by payment service providers (PSPs) that do not manage the account of the payment service user (PSU), the consumer.


Therefore, as said, two new types of payment services are provided for in the new directive and, consequently, two new types of TPPs are introduced, namely Account Information Service Providers (‘AISPs’) and Payment Initiation Service Providers (‘PISPs’). PSD2 requires all payment account providers across the EU to provide TPPs with access to their data. Until today, these types of services and service providers have not been regulated, at least at EU level. Until today, these same providers did not have access to feedback information on the availability of funds in accounts held by other financial institutions. PSD2 lifts this obstacle by providing for access to and sharing of these data. Furthermore, it provides for a common framework with clear conditions under which these providers can access financial information on behalf of their customers.


These obligations stemming from PSD2 are directly related to opening up bank data and therefore involve establishing and/or implementing and/or constructing relevant Open Banking Services Systems/Platforms/Sites and, consequently, developing Open Banking standards that would provide guidance on how banking data should be created, shared and used. Open Banking standards need to be aligned with PSD2.


In this respect, advances in technology such as “application programming interfaces” (APIs), which allow developers to incorporate third-party data and services into their applications, are critical and will play a significant and fundamental role in allowing regulators to meet their obligation in relation to the sharing of bank data. APIs may be new for the banking sector, but they are not in fact something new: they have been in place for several years and have transformed other industries, such as the travel industry. It seems that, apart from the regulatory drive to introduce APIs in the banking and financial services industry, commercial reasons and competition require banks to move to the API economy, following the success of their implementation in other industries.


More specifically, APIs can help provide access to open data, such as a list of the products that a bank provides, and secure shared access to private data, such as a list of the transactions in an individual’s bank statement. It is argued that only APIs can possibly meet the requirements of openness within banking.


In fact, the UK seems to be leading the march, since the UK CMA has already expressed its intention for such an Open Banking standard by expressly indicating that the standard is for APIs. The Open Banking API standard is expected to provide the framework for how AIS provider (AISP) and PIS provider (PISP) software authenticates, accesses data and initiates payments with an Account Servicing Payment Service Provider (ASPSP).


The different approaches among member states should, however, in any case provide secure mechanisms for implementing best practices when it comes to user consent and authentication, such as users providing login details to authenticate their identity only to their account provider, and users being given a clear view of what information is being shared with AISPs, or what functionality is opened up to PISPs, when using the Open Banking services.


Although a designated national authority shall be monitoring compliance and shall be responsible for registering and authorizing AISPs and PISPs and ensuring that ASPSPs, AISPs and PISPs are meeting their obligations under the legislation, putting in place suitable arrangements that allow firms to meet the requirements of PSD2 will be up to the industry. For example, it will be up to the industry and its players to agree and provide for the appropriate processes, and possibly solutions, to manage liability for damage or loss arising from unauthorized transactions initiated through a PISP, and for the processes and/or methods employed in relation to possible dispute handling between an ASPSP and a PISP.


Open Banking initiatives are gradually becoming the norm. Delivering regulatory change to comply with PSD2 of course needs a proper API strategy. Hugely important and fundamental to the success of Open Banking, however, is the establishment of a solid and sound API legal strategy. This involves employing the strongest legal arrangements and the best available ways to manage the legal risks associated with APIs.


Addressing legal issues and managing legal risks associated with open APIs and Open Banking will be the theme of my next article.